Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I write a Rest Query to fetch all unsaved searches along with userid ( optional )

splunkfriend123
Engager
‎06-27-2022 07:25 AM

Hi Team,

While exploring Splunk documentation and few scenarios ,

noticed that there is Rest approach to extract  saved one. 

But i would like to extract unsaved ( adhoc ) searches performed to understand patterns and load

1. Unsaved searches performed on given index or all indexes along with the query used. 

I found below threads which can be used to fetch saved searches 

https://community.splunk.com/t5/Splunk-Search/How-can-I-get-a-list-of-all-saved-searches-from-all-ap... 

https://community.splunk.com/t5/Splunk-Search/Listing-all-saved-searches-from-all-apps-via-REST-with...

Is there any Rest based query which can be used for extracting to find adhoc searches performed on splunk to understand load patterns.

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-27-2022 11:41 AM

I'm not aware of a REST command for that specific use case, but you can use REST to run a search for unsaved (ad-hoc) searches.  Start with this search

index=_audit source=audittrail sourcetype=audittrail action=search savedsearch_name=""

Finding searches against a specific index is challenging.  Index names may or may not be specified in the query text.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

splunkfriend123
Engager
‎06-28-2022 03:17 AM

Hi @richgalloway 

Thanks for your quickresponse.

Currently i am looking for Rest based query.

With below query i am able to find saved searches , not sure how to tweak below query to cater my need to fetch unsaved / adhoc searches performed. 

Query to fetch saved searches : 

| rest /servicesNS/-/-/saved/searches splunk_server=local 

https://community.splunk.com/t5/Splunk-Search/How-can-I-get-a-list-of-all-saved-searches-from-all-ap...

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-28-2022 05:42 AM

As I wrote earlier, there is no REST command to fetch ad-hoc searches.  You can, however, use REST to submit a new search job (using the query provided earlier) to extract ad-hoc search info from the logs.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-27-2022 10:28 AM

Can you just setup MC (monitoring console) and use it to see those searches? 

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...